Analysis

  • max time kernel
    140s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 01:54

General

  • Target

    b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe

  • Size

    1.3MB

  • MD5

    59d981ed9028d3247ef3fca52e62b117

  • SHA1

    e3e3d5233b2665cfdba8caac7ce36b46250bc0f6

  • SHA256

    b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d

  • SHA512

    7f3501e07048a11e6df67806d67fa7078cb798267b944b0269dbe7b80730d1258104d74fc4e5512316624034148116c7020972ac6c3ba3d176e9c78264d17c5c

  • SSDEEP

    24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aQ1CCjqxkKqTBAEnLrhX:4TvC/MTQYxsWR7aQ8Cmx5qrh

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7098045317:AAG_bq6J7neFFo87IXHfNBxKyzNKV56RSAA/

Signatures

  • AgentTesla

    Agent Tesla is a .NET remote access tool (RAT) and credential stealer written in Visual Basic.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
    "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
      2⤵
        PID:4980
      • C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
        "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
          3⤵
            PID:2316
          • C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
            "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
            3⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
              4⤵
                PID:4384
              • C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
                "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
                  5⤵
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:908
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:5064
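The process tree above shows the pattern a detection engineer should key on: every RegSvcs.exe instance is started with the dropper's own path as its command line, which is what a RunPE/hollowing loader leaves behind when it forges the command line of the host it writes into (the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures are the same injection seen from the API side). The following Python script is an added example, not part of the sandbox report or of any vendor's tooling. It runs three of the report's signatures (hollowed .NET host, Run-key persistence, Telegram bot C2) over constructed Sysmon-style records modelled on the tree above; the host list, the record layout, the Run-key value name and the bot token in the sample data are all assumptions made for the example.

```python
"""Hunt the behaviours reported for this sample over Sysmon-style records.

Added example, not from the sandbox report. The record layouts, the list of
.NET hosts and the sample data below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# .NET framework utilities that commodity stealers (Agent Tesla, ZGRat and
# friends) commonly hollow out. Analyst-chosen list; extend as needed.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

# Substring match on the autostart keys (covers Run, RunOnce, RunServices).
RUN_KEY_MARK = "\\microsoft\\windows\\currentversion\\run"

TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{20,})")


@dataclass(frozen=True)
class ProcEvent:  # Sysmon event 1 (process creation) style record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:  # Sysmon event 13 (registry value set) style record
    pid: int
    key: str
    value: str
    data: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _cmdline_image(cmdline: str) -> str:
    """Return the executable named by argv[0] of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def find_hollowed_dotnet_hosts(events):
    """PIDs whose image is a .NET utility but whose command line names a
    different executable, the footprint RunPE-style hollowing leaves behind."""
    hits = []
    for e in events:
        img = _basename(e.image)
        argv0 = _basename(_cmdline_image(e.cmdline))
        if img in DOTNET_HOSTS and argv0 and argv0 != img:
            hits.append(e.pid)
    return hits


def find_run_key_persistence(reg_events):
    """(pid, value name, data) for every write under a Run* autostart key."""
    return [(r.pid, r.value, r.data) for r in reg_events
            if RUN_KEY_MARK in r.key.lower()]


def find_telegram_bot_c2(urls):
    """(bot id, redacted token) for Telegram bot API endpoints; the token is
    truncated so the finding can be shared without re-leaking a live credential."""
    hits = []
    for u in urls:
        m = TELEGRAM_BOT_RE.search(u)
        if m:
            hits.append((m.group("bot_id"), m.group("token")[:4] + "..."))
    return hits


# Constructed sample records modelled on the report's process tree.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

SAMPLE_PROCS = [
    ProcEvent(536, 4000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(4980, 536, REGSVCS, f'"{DROPPER}"'),   # hollowed: argv[0] != image
    ProcEvent(4016, 536, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2316, 4016, REGSVCS, f'"{DROPPER}"'),  # hollowed
    ProcEvent(5064, 1234, EDGE, f'"{EDGE}" --type=utility'),
    ProcEvent(7000, 1, REGSVCS, f'"{REGSVCS}" /u foo.dll'),  # legitimate, not flagged
]

SAMPLE_REG = [  # value name and data are constructed, not from the report
    RegEvent(908, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Admin\AppData\Roaming\Updater.exe"),
    RegEvent(908, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden", "1"),
]

SAMPLE_URLS = [  # placeholder token, not the one in the report
    "https://api.telegram.org/bot1234567890:AAEfakeTokenForThisExample_000/sendDocument",
    "https://www.example.com/ipcheck",
]

if __name__ == "__main__":
    print("hollowed .NET hosts:", find_hollowed_dotnet_hosts(SAMPLE_PROCS))
    print("Run-key persistence:", find_run_key_persistence(SAMPLE_REG))
    print("Telegram bot C2:    ", find_telegram_bot_c2(SAMPLE_URLS))
```

The hollowing check deliberately compares argv[0] of the command line against the image rather than looking at the parent, because the loader here re-spawns itself between each RegSvcs.exe attempt and the parent chain alone looks like an ordinary self-relaunch; the same argv[0]-versus-image mismatch is what a Sysmon or EDR rule should carry.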

          Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\aut5426.tmp

            Filesize

            268KB

            MD5

            bfd0a24603de75fbdc525aae0f0c7823

            SHA1

            1c26cdb7b35452bf41b0fd9160acf8e5848a8b93

            SHA256

            531af262fb42e94c46b27f1e7901fcd974f0ca7a7ca3f622e122494dca8997c1

            SHA512

            4588be1d3def44af913ac9492a0ae164602b71155fc6cd6f42ce79cc7623e46df412b15b103d83f3f547be56387e07f17f574fb04dd2c84bd8f084b8df842fb6

          • C:\Users\Admin\AppData\Local\Temp\aut628E.tmp

            Filesize

            9KB

            MD5

            526e21e37285848fdde117dfcee5781c

            SHA1

            cf5a492e49ce089e1d22e6c889bdb37a47f7fb9c

            SHA256

            d01335bb57a5afe6e6ac69dab32d8003133f22fa89ae7c91dec8b1209de7aa2f

            SHA512

            f579ff96507a17684905198b20ac3348e131e585296c54bf14ffd4bd8298a6feea011f41f7fe5a246be217309a66a3b4af2eaf253b256eb165e4afebc5a1f3d7

          • C:\Users\Admin\AppData\Local\Temp\thixophobia

            Filesize

            29KB

            MD5

            313f065560ff4c5ec2331f20ba62cb3e

            SHA1

            7888da3ec7abf884b97bfcff7477b699ff30c237

            SHA256

            986f7f07d819a17795a7cbd79a664195664ac6ff7e835a95cd825e83e9e7ef32

            SHA512

            39dd8ce26003a2921fcff79149e47a71a43a716d99392d0e870330c95f5ebbfe3aa304fe75be0a095c4bdd011f76c5d4b7ac6efda2efe5adeb3ccfa7c1e9fc64

          • memory/536-12-0x0000000003870000-0x0000000003874000-memory.dmp

            Filesize

            16KB

          • memory/908-96-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-120-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-88-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-57-0x00000000051C0000-0x0000000005764000-memory.dmp

            Filesize

            5.6MB

          • memory/908-58-0x0000000004B50000-0x0000000004BA6000-memory.dmp

            Filesize

            344KB

          • memory/908-60-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-68-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-90-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-118-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-116-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-114-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-112-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-93-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-108-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-106-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-104-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-100-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-98-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-54-0x0000000000400000-0x0000000000447000-memory.dmp

            Filesize

            284KB

          • memory/908-94-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-110-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-55-0x0000000000400000-0x0000000000447000-memory.dmp

            Filesize

            284KB

          • memory/908-56-0x0000000004AB0000-0x0000000004B08000-memory.dmp

            Filesize

            352KB

          • memory/908-86-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-84-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-82-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-80-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-78-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-74-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-72-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-70-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-66-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-64-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-62-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-102-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-76-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-59-0x0000000004B50000-0x0000000004BA1000-memory.dmp

            Filesize

            324KB

          • memory/908-1193-0x0000000004D80000-0x0000000004DE6000-memory.dmp

            Filesize

            408KB

          • memory/908-1195-0x0000000005F30000-0x0000000005F80000-memory.dmp

            Filesize

            320KB

          • memory/908-1196-0x0000000006220000-0x00000000062BC000-memory.dmp

            Filesize

            624KB

          • memory/908-1197-0x00000000062C0000-0x0000000006352000-memory.dmp

            Filesize

            584KB

          • memory/908-1198-0x00000000064A0000-0x00000000064AA000-memory.dmp

            Filesize

            40KB